Description
Prism (aka PrismJS) through 1.29.0 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML elements.
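The defensive check a consumer of `document.currentScript` wants is to verify that the value really is a script element before reading attributes such as `src` from it, since a clobbering element injected into the page can take that property's place. The following helper is an added example, not Prism's code and not its 1.30.0 fix; the function names, the document stand-ins and the same-origin policy it applies are assumptions for illustration.

```javascript
// Added example (not Prism's own code): a guarded document.currentScript lookup.
// DOM clobbering: an injected <img name="currentScript"> can be what the
// document.currentScript lookup returns, so code that trusts that property
// may read attacker-controlled attributes such as src.

// Return the current script element only if it really is a <script>; otherwise null.
function resolveCurrentScript(doc) {
  const el = doc && doc.currentScript;
  if (!el || typeof el !== 'object') return null;
  // In a browser prefer the prototype check; fall back to tagName outside a DOM host.
  if (typeof HTMLScriptElement !== 'undefined') {
    return el instanceof HTMLScriptElement ? el : null;
  }
  return el.tagName === 'SCRIPT' ? el : null;
}

// Derive the directory a script was loaded from, but only from a verified <script>
// whose src resolves to the page's own origin (an assumed policy for this example).
function scriptBaseUrl(doc, pageOrigin) {
  const script = resolveCurrentScript(doc);
  if (!script || typeof script.src !== 'string') return null;
  let url;
  try {
    url = new URL(script.src, pageOrigin);
  } catch (e) {
    return null;
  }
  if (url.origin !== pageOrigin) return null;
  return url.href.slice(0, url.href.lastIndexOf('/') + 1);
}

// Constructed stand-ins for the document object; no real DOM is needed to run this.
const legitimateDoc = {
  currentScript: { tagName: 'SCRIPT', src: 'https://example.com/js/prism.js' },
};
const clobberedDoc = {
  // What the lookup yields after <img name="currentScript" src=...> is injected.
  currentScript: { tagName: 'IMG', src: 'https://attacker.example/x.js' },
};
```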
Recommendation
Update the prismjs package to the latest compatible version. Version details:
- Affected version(s): < 1.30.0
- Patched version(s): 1.30.0
References
Related Issues
- mavo DOM Clobbering vulnerability - CVE-2024-53388
- DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS - CVE-2024-47068
- Layui has DOM Clobbering gadgets that leads to Cross-site Scripting - CVE-2024-47075
- DOM Clobbering Gadget found in astro's client-side router that leads to XSS - CVE-2024-47885
Tags:
- npm
- prismjs
Last updated on June 30, 2025